Since nowadays passkeys are getting some attention, I expect the number of sites supporting resident-keys/passkeys to increase. Good to hear that you are working on increasing the number of slots. Can you please provide an estimate, when this will become available? I made reference to CTAP2.2 because it was mentioned in the blog post and as an example of something beyond the original announcement. I was not implying that I had a use case for CTAP2.2, just that it would be interesting to know what else is in the pipeline. fido-authenticator #19 is one example that I would consider security relevant. It allows a local attacker to gain access to secrets generated with the hmac-extension even if during the generation of the secret user-presence was requested. In my opinion this gives a false sense of security, "nothing can happen without touching the NK" is no longer true in this case.